Deep Dive (Optional)


Exploring the solution

AWS Control Tower is tightly integrated with several other native AWS services including AWS Cloudformation, AWS SSO, and AWS Service Catalog. In this section we will explore the integrations.

CloudFormation StackSets

AWS Control Tower uses AWS CloudFormation StackSets to establish the baselines and create the guardrails across multiple accounts and regions.

When you open the CloudFormation StackSets console in the management account you will see the following StackSets for Control Tower (StackSet name, followed by its description):

AWSControlTowerBP-BASELINE-CLOUDTRAIL
    Configure AWS CloudTrail on all accounts
AWSControlTowerBP-BASELINE-CLOUDWATCH
    Configure CloudWatch rule, local SNS topic, forwarding notifications from local SNS topic to Security topic
AWSControlTowerBP-BASELINE-CONFIG
    Configure AWS Config on all accounts/regions
AWSControlTowerBP-BASELINE-ROLES
    Creates all required baseline roles on all the accounts
AWSControlTowerBP-BASELINE-SERVICE-ROLES
    Creates all required service roles on all the accounts for services (like AWS Config, SNS) used by Control Tower
AWSControlTowerBP-SECURITY-TOPICS
    Central monitoring and alerting using SNS and AWS CloudWatch
AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED
    Configure AWS Config rules on core accounts to check that your S3 buckets do not allow public read access
AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED
    Configure AWS Config rules on core accounts to check that your S3 buckets do not allow public write access
AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-READ-PROHIBITED
    StackSet for applying guardrail
AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-WRITE-PROHIBITED
    StackSet for applying guardrail
AWSControlTowerLoggingResources
    StackSet to set up required resources in the Log Archive account
AWSControlTowerSecurityResources
    StackSet to set up required resources in the Audit account
AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1
    Once the account is provisioned this stack is run to set up the account configuration based on the baselines (only present if you create an account with network baselines; you will not see it in this lab)

You may see additional StackSets depending on the number of guardrails you enable in Control Tower.
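Because the baselines are delivered as StackSet instances, the quickest way to confirm that every enrolled account and region actually carries them is to inspect the instance list. The following shell script is an added example and not part of the workshop; it works on the text output of the CLI call shown in its comments, and the account ids and statuses in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the workshop: check that a Control Tower
# baseline StackSet covers every account/region.  It reads the text form
# of the instance listing, so it can be run against a saved file from:
#   aws cloudformation list-stack-instances \
#       --stack-set-name AWSControlTowerBP-BASELINE-CLOUDTRAIL \
#       --query 'Summaries[].[Account,Region,Status]' --output text
# Each line then reads:  <account-id> <region> <status>

# Lines whose status is not CURRENT.  OUTDATED means the instance lags the
# StackSet template; INOPERABLE means a failed operation left it unmanaged.
report_noncurrent() {
    awk '$3 != "CURRENT" { print $1, $2, $3 }'
}

# Accounts listed in file $2 (one id per line, e.g. taken from
# 'aws organizations list-accounts') that have no CURRENT instance in
# region $1.  The instance listing is read from stdin.
report_missing() {
    awk -v region="$1" '
        NR == FNR                       { want[$1]; next }
        $2 == region && $3 == "CURRENT" { delete want[$1] }
        END { for (a in want) print a }
    ' "$2" -
}

# Constructed sample data (fake account ids) so the checks run offline.
sample_instances() {
    printf '%s\n' \
        '111111111111 us-east-1 CURRENT' \
        '111111111111 us-west-2 CURRENT' \
        '222222222222 us-east-1 OUTDATED' \
        '333333333333 us-west-2 INOPERABLE'
}
sample_accounts() {
    printf '%s\n' 111111111111 222222222222 333333333333 444444444444
}

# Number of drifted/failed instances in the sample (2).
noncurrent_count() { sample_instances | report_noncurrent | wc -l | tr -d ' '; }

# Number of sample accounts without a CURRENT instance in us-east-1 (3).
missing_count() {
    tmp=$(mktemp)
    sample_accounts > "$tmp"
    sample_instances | report_missing us-east-1 "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}
```

Run the same two functions over the real listing for each AWSControlTowerBP-BASELINE-* StackSet; any account that shows up in either report is not receiving the baseline the table above describes.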

AWS SSO

AWS SSO provides a cloud-native directory for granting users access to all the AWS accounts within the Control Tower environment.

During the initial installation of Control Tower, the AWS SSO directory was created, along with a default AWS Control Tower Admin user with administrative rights to the shared accounts. Also included are a few other common groups and permission sets that can be used to grant the appropriate level of permissions to your users. Additionally, you can create custom groups and permission sets as required by your organization.

The following pre-defined groups are created in AWS SSO (group name, followed by its description):

AWSAccountFactory
    Read-only access to Account Factory in AWS Service Catalog for end users
AWSAuditAccountAdmins
    Admin rights to the cross-account Audit account
AWSControlTowerAdmins
    Admin rights to AWS Control Tower core and provisioned accounts
AWSLogArchiveAdmins
    Admin rights to the Log Archive account
AWSLogArchiveViewers
    Read-only access to the Log Archive account
AWSSecurityAuditors
    Read-only access to all accounts for security audits
AWSSecurityAuditPowerUsers
    Power user access to all accounts for security audits
AWSServiceCatalogAdmins
    Admin rights to Account Factory in AWS Service Catalog

The following pre-defined permission sets are created in AWS SSO (permission set, followed by its description):

AWSReadOnlyAccess
    Grants permissions to view resources and basic metadata across all AWS services
AWSPowerUserAccess
    Provides full access to AWS services and resources, but does not allow management of users and groups
AWSServiceCatalogAdminFullAccess
    Provides full access to AWS Service Catalog admin capabilities
AWSOrganizationsFullAccess
    Provides full access to AWS Organizations
AWSAdministratorAccess
    Provides full access to AWS services and resources
AWSServiceCatalogEndUserAccess
    Provides access to the AWS Service Catalog end user console

AWS CLI Integration with AWS SSO

With the release of version 2 of the AWS CLI, you can integrate CLI credentials with AWS SSO, which removes the need to copy access key information out of the AWS SSO user portal. This lets every user of AWS Control Tower authenticate with AWS SSO at the command line and be granted permissions in the AWS account they wish to work with, based on the profile they select when logging in.

The full documentation and implementation instructions are in the AWS Command Line Interface User Guide.
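What that integration looks like in practice, as an added example that is not from the workshop or the AWS user guide: a named CLI profile that signs in through AWS SSO with one of the permission sets listed above, so no long-lived access key is ever written to ~/.aws/credentials. The SSO portal URL, SSO region and account id are placeholders to replace with your own, and the script writes to whatever config path it is given so you can preview the stanza first.

```shell
#!/bin/sh
# Added example, not from the workshop: a named AWS CLI v2 profile that
# obtains temporary credentials through AWS SSO instead of a stored access
# key.  PLACEHOLDER values (portal URL, account id) must be replaced; the
# permission set is AWSReadOnlyAccess from the table above, i.e. the least
# privileged set that still lets an auditor read the Audit account.

# Append the profile stanza to the config file given as $1 (defaults to
# ~/.aws/config).  Does nothing if the stanza is already present, so the
# script is safe to re-run.
write_sso_profile() {
    cfg=${1:-"$HOME/.aws/config"}
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ] && grep -q '^\[profile audit-readonly\]' "$cfg"; then
        return 0
    fi
    cat >> "$cfg" <<'EOF'

[profile audit-readonly]
sso_start_url = https://PLACEHOLDER.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = AWSReadOnlyAccess
region = us-east-1
output = json
EOF
}

# Number of audit-readonly stanzas in the file given as $1; should be 1.
profile_count() {
    grep -c '^\[profile audit-readonly\]' "$1"
}

# Interactive part (needs a browser and network, so it is not run here):
#   aws sso login --profile audit-readonly
#   aws sts get-caller-identity --profile audit-readonly
# The returned Arn should name the AWSReadOnlyAccess permission set in
# account 111111111111; the cached session expires on its own, and there
# is no access key in ~/.aws/credentials to leak or rotate.
```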

Service Catalog

AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage deployed IT services and your applications, resources, and metadata. This helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.

For more information, please use the AWS Service Catalog workshop.


Copyright 2021, Amazon Web Services, All Rights Reserved.